HIPAA and the proposed patient privacy rules
David M. Levine, Esq.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provided that, if Congress did not enact federal legislation establishing comprehensive privacy standards for individually identifiable health information within three years, the Secretary of the Department of Health and Human Services (the Secretary) was required to promulgate rules containing such standards. Congress did not enact privacy legislation in time, and on November 3, 1999 the Secretary published the Proposed Rule.
The Proposed Rule occupies nearly 150 pages of the November 3, 1999 Federal Register, and the public comment period was extended until February 17, 2000, during which time approximately 40,000 comments were received. Given the heightened awareness of the privacy implications of the electronic maintenance and transmission of health information and the comprehensiveness of the Proposed Rule, the extent of public comment is not surprising.
The Proposed Rule applies to health care providers, health plans and health care clearinghouses, and if enacted in its present form, would:
· allow health information to be used and shared easily, without having to obtain patient authorization, for treatment and for payment for health care;
· allow health information also to be disclosed without an individual's authorization for certain national health priority purposes (such as research, public health and oversight), but only under defined circumstances;
· require written authorization for the use and disclosure of health information for other purposes; and
· create a set of fair information practices to inform people of how their information is used and disclosed, ensure that they have access to information about them, and require health providers (and health plans) to maintain administrative and physical safeguards to protect the confidentiality of health information and protect against unauthorized access.
The Proposed Rule also confers rights upon individuals, including the right to inspect and copy protected health information, to correct misinformation, and to receive notice from a covered entity (including a health care provider) about the uses and disclosures that the covered entity may make.
The Proposed Rule also contemplates that covered entities will:
· implement basic safeguards to protect protected health information from inappropriate access, use or disclosure;
· appoint a privacy official;
· develop a privacy training program for employees;
· provide some means for individuals to lodge complaints about the covered entity's information practices; and
· develop a system of sanctions for employees and business partners who violate the entity's policies and procedures.
The purpose of these requirements is to ensure that covered entities make explicit decisions about who will have access to protected health information, how that information will be used within the entity, and when (and under what conditions) that information will or will not be disclosed to others.
HIPAA provides that the rule promulgated by the Secretary will not preempt (i.e., override) state laws that are in conflict with the rule and that provide greater privacy protections. HIPAA grants the Secretary the authority to impose civil monetary penalties against violators (up to $25,000 for each calendar year for each provision that is violated), and also provides for criminal penalties for certain wrongful disclosures. HIPAA does not provide for a private right of action (i.e., the right to sue and recover) for individuals.
It remains to be seen whether Congress will enact comprehensive privacy legislation (which the Secretary and President Clinton support), and if (and when) the Secretary will publish a final rule. Although the dates by which covered entities would need to comply with a federal privacy standard are years away, providers should take steps to ensure compliance with currently applicable law concerning the confidentiality of health information.
Benesch, Friedlander, Coplan & Aronoff LLP
2300 BP Tower
Cleveland, OH 44114-2378
(216) 363-4511
email: dlevine@bfca.com